New data breach privacy laws in effect – what does this mean for schools?
Today marks the commencement of the Notifiable Data Breach (NDB) Scheme under the Privacy Act 1988 (Cth) (Privacy Act). Non-government schools must now be aware of their new obligations under the Privacy Act and more importantly, understand how to comply with them in order to prevent and deal with a data breach.
As schools are aware, a vast array of personal information is obtained and kept by schools about students, former student, parents and staff. For example, contact details, bank details, family information, medical records, photos … an almost endless list. For this reason, it is paramount for schools to practice privacy everyday to ensure that the collection, storage, use and disclosure of information about all its stakeholders complies with the Privacy Act and the Australian Privacy Principles (APPs).
Latest OAIC Guidance
In the lead up to today, the Office of the Australian Information Commissioner released a new 64 page guidance material “Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)” (Data Breach Guide). Given the close timing between the release of the Data Breach Guide and the NDB Scheme taking effect today, schools should not panic about reading it urgently if they already have implemented policies and procedures to comply with the NDB requirements. But the Data Breach Guide will be a useful tool moving forward in case a breach occurs.
What is a data breach?
As stated in previous School Governance articles, the NDB Scheme prevents schools from concealing eligible data breaches if the breach is considered to result in serious harm to the affected person(s). Under section 26WE of the Privacy Act, an eligible data breach occurs where:
- there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.
For more information on what are eligible data breaches (also known as Notifiable Data Breaches) and how to deal with them, please see here. It is important to be aware that not all breaches will amount to a NDB.
Effects of data breaches
A data breach will not only affect schools, it will affect many organisations from small business to multinational organisations. Prime examples of this would be the cases of Yahoo, Uber and Equifax.
In 2013, Yahoo experienced one of the biggest cyber attacks in recent history which affected all of its three billion user accounts. Apparently, no financial information was stolen but what was taken by hackers were names, email addresses and passwords. The breach was not disclosed to the public until October 2017.
In July 2017, Credit rating agency Equifax, announced that “criminals” exploited a vulnerability in web-based application which gave them access to user details of nearly 145 million people.
In 2016, Uber experienced a massive hack of 57 million users. The breach was not reported to users of the ride-sharing service until a year later in November 2017.
The ACCC released a report estimating that a cyber security attack can cost Australian small and medium sized businesses between $1,000 – $5000, which is mostly unrecoverable after a breach has occurred. What is of greater significance is the reputational damage which may be sustained that can affect future business, such as student enrolments.
To emphasise how concerned Australians are about privacy, the Office of the Australian Information Commissioner (OAIC) released the Australian Community Attitudes to Privacy Survey 2017, which revealed some surprising statistics about privacy in Australia including:
- 69% of Australians say they are more concerned about their online privacy than they were five years ago
- 83% think there are greater privacy risks dealing with an organisation online, compared to in traditional settings
- 93% of Australians do not want their information to be sent overseas
- 79% do not want their data to be share with other organisations
- 65% of Australians do not regularly read the privacy policies of websites they use
- 43% of Australians do not regularly adjust the privacy settings on their social media accounts.
How to minimise the risk?
Non-government schools who are governed by the Privacy Act and APPs may be subject to significant financial penalties for failing to comply with requirements under the NDB Scheme. The financial penalties that can be imposed for non-compliance are:
- $2.1 million for organisations
- $420,000 for individuals.
To avoid these severe financial penalties, non-government schools need to document and implement a Privacy Program. The table below lists features of such a Program:
|Document a Privacy Program (why, what, how, who, when).||
|Appoint a Privacy Officer.||
|Conduct a Personal Information Management Audit to test the security of personal information protection processes and procedures.||
|If you are a Credit Provider, document a Credit Reporting Policy.||
|Ensure all Information Collection Forms include a Privacy Collection Notice.||
|Ensure all direct marketing communications set out clear “opt out” provisions.||
|Ensure that your complaints and incident management systems are working.||
|Create a Data Breach Response Plan to document how your will respond to a Notifiable Data Breach.||
|Establish a Data Breach Response Team to assist the Privacy Officer in the event of a Data Breach.||
|Train your staff on privacy issues.||
|Establish practices, systems and procedures to ensure your school’s ongoing compliance with your privacy obligations through a Compliance Program.||
|Establish practices, systems and procedures to ensure that your Privacy Program is being effectively monitored and regularly reviewed.|
In the event of a NDB, the school’s Privacy Officer will establish a Data Breach Response Team (DBRT). The DBRT is responsible for assisting the Privacy Officer in investigating the breach and notifying the OAIC when required. The DBRT may include members of staff including management, members from the school’s IT department and members from other areas of the school as required. The nature of the breach will determine who will form part of the DBRT.
A Data Breach Response Plan sets out procedures and clear lines of authority for the school in the event that it experiences circumstances that amount to a data breach or a NDB. The response is intended to help the school to contain, assess and respond to data breaches in a timely fashion, to help mitigate potential harm to affected individuals and to meet NDB obligations under the Privacy Act.
For more information on the requirements of the NDB Scheme, CompliSpace has written a Briefing Paper: Privacy update: Mandatory Notification of Data Breaches & Complaints Handling Update.
Is your school ready for the NDB Scheme?
William Kelly is a School Governance reporter. He can be contacted here.